216.73.217.22

T1651: Cloud Administration Command

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID
T1651
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
27/03/2026 01:12
Author / Source
The MITRE Corporation

Platforms

IaaS

Description

Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command) If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)

Kill chain phases

Kill chainPhase
mitre-attack execution

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (2)

  • Void Manticore uses COBALT MYSTIQUEHandala Hack
    AlienVault Confidence 100

    [VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:51 · Modified 04/05/2026 16:33
  • CozyDuke uses IRON RITUALIRON HEMLOCK
    The MITRE Corporation Confidence 100

    [APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33

Course Of Action (1)

  • Privileged Account Management mitigates

Tool (2)

  • AADInternals uses
    The MITRE Corporation Confidence 100

    [AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)

    Published 01/02/2022 16:08 · Modified 27/03/2026 01:07
  • Pacu uses
    The MITRE Corporation Confidence 100

    Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)

    Published 28/09/2023 15:21 · Modified 27/03/2026 01:07